Authentication and Access Protection of Computer Boot Modules in Run-Time Environments

ABSTRACT

Methods and systems to authenticate and load a plurality of boot logic modules in corresponding access protected memory regions of memory, and to maintain the access protections in run-time environments. Access protection may be implemented with access control list (ACL) policies expressed in terms of page boundaries to distinguish between read, write, and execute access requests.

BACKGROUND

Root-kits and spyware may be designed to avoid detection by security software executing on a computer processor platform, to observe user activity, capture user data, circumvent user actions, and perform other malicious activities.

Trusted platform modules (TPMs) may be used to authenticate an application or service and protect the application or service when executing from memory. TPMs may be implemented in accordance with a Trusted Computing Group Trusted Platform Module (TCG TPM) Specification, Version 1.2, published in October, 2003.

Modular boot logic, such as extensible firmware interface (EFI) boot modules, may be susceptible to malware in an operating environment. For example, EFI drivers and service applications may persist after transition to run-time environments, and operating system applications may call into pre-boot software. In addition, with EFI, entry points into code may be dynamically instantiated, and proprietary interfaces may exist. Malware in a host environment, and potential incompatibilities between third party drivers, may thus impact pre-boot software.

BRIEF DESCRIPTION OF THE DRAWINGS/FIGURES

FIG. 1 is a block diagram of an exemplary computer processor environment.

FIG. 2 is a block diagram of exemplary data and computer instructions corresponding to FIG. 1.

FIG. 3 is a process flowchart of an exemplary method of authenticating, loading, and initializing a plurality of boot logic modules in corresponding page-based access protected regions of memory, and of transitioning the protections to a run-time environment.

FIG. 4 is a block diagram of the exemplary data and computer instructions of FIG. 2, further including extensible firmware interface (EFI) logic modules.

FIGS. 5A and 5B illustrate a process flowchart of an exemplary method of authenticating and loading the EFI logic modules illustrated in FIG. 4.

FIG. 6 is graphical illustration of an exemplary platform boot flow sequence corresponding to FIGS. 4, 5A, and 5B.

In the drawings, the leftmost digit(s) of a reference number identifies the drawing in which the reference number first appears.

DETAILED DESCRIPTION

Disclosed herein are methods and systems to authenticate and load a plurality of boot logic modules in corresponding access protected memory regions of memory, and to maintain the access protections in run-time environments.

Access protection may be implemented with access control list (ACL) policies expressed in terms of page boundaries to distinguish between read, write, and execute access requests. Protected regions of memory may contain executable code and/or initialization data. In a run-time environment, ACL policy may be configured to prevent writing to executable code and/or initialization data, and may be configured to permit one or more of execute-only, execute-read, or read-only access.

Integrity checks performed on memory pages when they are loaded authenticate the code or logic, and no-write policies protect its integrity at run time.
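The following is an added example, not code from the patent, that models the page-granular ACL policy described above: each μ-context is a page-aligned region with one permission set while its module is loaded and initialized and a second, stricter set once the run-time environment is entered. The page size, the boot/run-time split, the handling of pages outside any μ-context, and all names are assumptions made for illustration.

```python
"""Page-granular ACL model for the mu-hypervisor described above.

Added example, not code from the patent. The page size, the two-phase
(boot/run-time) permission split, default handling of pages outside any
mu-context, and all names are assumptions made for illustration.
"""
from dataclasses import dataclass
from enum import Flag, auto

PAGE_SIZE = 4096  # assumed 4 KiB pages


class Perm(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXEC = auto()


@dataclass(frozen=True)
class AclEntry:
    context: str   # mu-context (module) that owns the region
    base: int      # first byte of the region, page aligned
    size: int      # length in bytes, a whole number of pages
    boot: Perm     # permitted while the module is loaded and initialised
    runtime: Perm  # permitted after the transition to the run-time environment
    tsr: bool = False  # terminate-and-stay-resident: policy survives the transition

    def __post_init__(self):
        if self.size == 0 or self.base % PAGE_SIZE or self.size % PAGE_SIZE:
            raise ValueError(f"{self.context}: ACL regions are expressed on page boundaries")
        if self.tsr and Perm.WRITE in self.runtime:
            raise ValueError(f"{self.context}: TSR code and data must be no-write at run time")

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


class MicroHypervisor:
    """Holds the ACL policy and answers the trapped access requests."""

    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.base)
        for a, b in zip(self.entries, self.entries[1:]):
            if a.base + a.size > b.base:
                raise ValueError(f"mu-contexts {a.context} and {b.context} overlap")
        self.runtime = False

    def transition_to_runtime(self):
        # Only TSR regions are carried into the run-time environment (assumption:
        # pages of transient boot-phase modules are released at this point).
        self.entries = [e for e in self.entries if e.tsr]
        self.runtime = True

    def check(self, addr: int, want: Perm) -> bool:
        """Trap handler: True if the access is allowed by the current-phase policy."""
        for e in self.entries:
            if e.contains(addr):
                allowed = e.runtime if self.runtime else e.boot
                return want in allowed
        return True  # page is not under mu-hypervisor control (assumption)


def demo():
    """Constructed policy: a transient DXE dispatcher and one TSR driver."""
    rwx = Perm.READ | Perm.WRITE | Perm.EXEC
    hv = MicroHypervisor([
        AclEntry("dxe_dispatcher", 0x1000, 2 * PAGE_SIZE, rwx, Perm.NONE),
        AclEntry("tsr_driver.code", 0x10000, PAGE_SIZE, Perm.READ | Perm.WRITE,
                 Perm.EXEC | Perm.READ, tsr=True),
        AclEntry("tsr_driver.data", 0x11000, PAGE_SIZE, Perm.READ | Perm.WRITE,
                 Perm.READ, tsr=True),
    ])
    boot_write = hv.check(0x10010, Perm.WRITE)  # loader applying relocations: allowed
    hv.transition_to_runtime()
    return {
        "boot_write": boot_write,
        "rt_exec": hv.check(0x10010, Perm.EXEC),         # OS calls into the TSR driver
        "rt_write": hv.check(0x10010, Perm.WRITE),       # malware patching driver code
        "rt_data_read": hv.check(0x11000, Perm.READ),
        "rt_data_write": hv.check(0x11000, Perm.WRITE),  # overwriting initialisation data
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
```

The two checks that matter for the run-time claim are the last four: once `transition_to_runtime()` has run, the TSR driver's code page is execute-read and its data page read-only, so a write to either is refused regardless of who issues it, while the loader's write during the boot phase was permitted. Rejecting a TSR entry that would be writable at run time in the constructor keeps that invariant out of the hands of whoever authors the policy file.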

FIG. 1 is a block diagram of an exemplary computer processor environment 100, including one or more computer instruction processing units, illustrated here as processor 102, to execute computer program product logic, also referred to herein as instructions, logic, and software. Processor 102 may include cache memory 103 to store frequently accessed data and/or instructions.

Computer processor environment 100 includes system memory 104, which includes a computer readable medium to store computer readable instructions to cause processor 102 to perform one or more functions in response thereto. Exemplary instructions are described below with reference to FIG. 2.

Computer processor environment 100 includes a memory controller 106 to interface between memory 104 and other devices. Memory controller 106 may include a graphics controller and may include direct memory access (DMA) translation hardware.

Computer processor environment 100 includes an input/output (I/O) controller 108 to interface between computer processor environment 100 and one or more I/O devices through one or more of serial, parallel, and USB ports 110, peripheral component interface (PCI) 112, and integrated drive electronics (IDE) interface 114.

Computer processor environment 100 may include a management system or management engine (ME) 110 to perform one or more management functions with respect to computer processor environment 100. ME 110 may include an instruction processor, illustrated here as a controller 112, which may be a microcontroller, and memory 114 having a computer readable medium to store computer readable instructions to cause controller 112 to perform one or more functions in response thereto. Exemplary instructions are described further below. Memory 114 may include firmware, which may include non-volatile random access memory (NVRAM) that is secure from operating environments of processor 102.

Computer processor environment 100 may include a communication link 118 between controller 112 and processor 102. Link 118 may be configured to permit controller 112 and processor 102 to communicate in a secure mode of processor 102, outside of an operating environment of processor 102, such as during a system management mode of processor 102.

Computer processor environment 100 may include a communication link 122 between controller 112 and one or more information technology (IT) systems 124. IT systems 124 may include one or more of a network administrator, a backend server, and other infrastructure devices. Controller 112 may be configured to send reports or alerts over link 122, and may be configured to receive information over link 122, which may include one or more of instructions, updates, and memory access control list policies, as described further below.

Link 122 may be isolated or secure from processor 102 and the operating environment of processor 102, such that link 122 is not interruptible by malware running on processor 102. Such a communication link is referred to herein as an out-of-band (OOB) communication link.

ME 110 may be configured to store alerts when communication link 122 is disabled, and report the stored alerts when connectivity is restored. One or more IT systems 124 may be physically and/or geographically remote with respect to other portions of computer processor environment 100.

Computer processor environment 100 may include a trusted platform module (TPM) 130, which may include authentication measurements, signatures, or values, and instruction logic to cause processor 102 to authenticate instruction or logic modules with reference to the authentication values. Authentication may include comparing a hash of a logic module to an authentication value. TPM 130 may include secure memory, such as non-volatile random access memory, illustrated here as TPM-NV 132, to store the authentication values and/or logic. The authentication values may be hash values, which may be cryptographic hash values.

One or more integrity verification processes may include obtaining integrity check values from, or under control of TPM 130. TPM-NV 132 may contain a hash of a manifest of integrity check values, or a hash of a signing key that signs a manifest that contains integrity check values. Where a manifest list is used, TPM-NV 132 may contain a counter nonce that prevents replay and/or replacement attacks on the manifest list.

TPM 130 may include platform configuration registers (PCRs) to store hash values. TPM 130 may be configured to prevent writing to the PCRs from external devices, such as processor 102. TPM 130 may be configured to permit external devices, such as processor 102, to extend PCR contents, wherein a new value is appended to the current value in the PCR and a hash is computed over the combined value. The hash result is used as the new PCR value. Such hashes are order dependent, which permits PCR contents to indicate the order in which measurements were appended. TPM 130 may be implemented in accordance with a Trusted Computing Group Trusted Platform Module (TCG TPM) Specification, Version 1.2, published in October, 2003.
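The following is an added example, not the patent's code, covering both the manifest of integrity check values with its counter nonce (described two paragraphs above) and the PCR extend operation (described immediately above). TPM-NV is modelled as a Python object, the manifest as JSON, and the hash as SHA-256 (the text says only "cryptographic hash"); the ME provisioning step, the replay scenario and all names are assumptions.

```python
"""Integrity check values under TPM control: manifest, counter nonce, PCR extend.

Added example, not the patent's code. TPM-NV is modelled as a Python object,
the manifest as JSON, the hash as SHA-256 (the text only says "cryptographic
hash"); the ME provisioning step and all names are assumptions.
"""
import hashlib
import json


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = H(PCR_old || measurement); order dependent by construction."""
    return sha256(pcr + measurement)


class TpmNv:
    """The two TPM-NV values the text describes: a hash over the manifest list
    and a counter nonce that only ever moves forward."""
    def __init__(self, manifest_hash: bytes, counter: int):
        self.manifest_hash = manifest_hash
        self.counter = counter


def build_manifest(images: dict, counter: int) -> bytes:
    """Manifest list = counter nonce + integrity check value per module."""
    body = {"counter": counter,
            "modules": {name: sha256(img).hex() for name, img in images.items()}}
    return json.dumps(body, sort_keys=True).encode()


def provision_manifest(nv: TpmNv, manifest: bytes) -> None:
    """ME-side update (constructed). A manifest whose counter does not advance is
    refused, so an old manifest list cannot be replayed over a newer one."""
    counter = json.loads(manifest)["counter"]
    if counter <= nv.counter:
        raise ValueError("stale manifest: counter nonce does not advance")
    nv.manifest_hash = sha256(manifest)
    nv.counter = counter


def verify_manifest(manifest: bytes, nv: TpmNv) -> dict:
    """Pre-boot side: accept the manifest only if it is the one TPM-NV vouches for."""
    if sha256(manifest) != nv.manifest_hash:
        raise ValueError("manifest hash does not match TPM-NV")
    body = json.loads(manifest)
    if body["counter"] != nv.counter:
        raise ValueError("manifest counter does not match TPM-NV (replay/replacement)")
    return {name: bytes.fromhex(h) for name, h in body["modules"].items()}


def measured_load(name: str, image: bytes, expected: dict, pcr: bytes) -> bytes:
    """Authenticate one module against its integrity check value, then record the
    measurement in the PCR. Returns the new PCR value; raises on mismatch."""
    measurement = sha256(image)
    if measurement != expected[name]:
        raise ValueError(f"integrity check failed for {name}")
    return pcr_extend(pcr, measurement)


def manifest_is_valid(manifest: bytes, nv: TpmNv) -> bool:
    try:
        verify_manifest(manifest, nv)
        return True
    except ValueError:
        return False


def demo():
    images = {"sacm": b"SACM image v1", "uhv": b"mu-hypervisor image v1"}  # constructed
    m1 = build_manifest(images, counter=1)
    nv = TpmNv(sha256(m1), counter=1)
    expected = verify_manifest(m1, nv)
    zero = bytes(32)
    # The same two measurements in different order give different PCR values.
    pcr_ab = measured_load("uhv", images["uhv"], expected,
                           measured_load("sacm", images["sacm"], expected, zero))
    pcr_ba = measured_load("sacm", images["sacm"], expected,
                           measured_load("uhv", images["uhv"], expected, zero))
    # The ME provisions an updated manifest; a replay of the old one is refused.
    images_v2 = dict(images, uhv=b"mu-hypervisor image v2")
    m2 = build_manifest(images_v2, counter=2)
    provision_manifest(nv, m2)
    try:
        provision_manifest(nv, m1)
        replay_accepted = True
    except ValueError:
        replay_accepted = False
    return {"order_dependent": pcr_ab != pcr_ba,
            "replay_accepted": replay_accepted,
            "old_manifest_valid": manifest_is_valid(m1, nv),
            "new_manifest_valid": manifest_is_valid(m2, nv)}


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete: extending a PCR with the same measurements in a different order yields a different final value, which is what lets a verifier distinguish "SACM then μ-hypervisor" from the reverse; and once the counter in TPM-NV has advanced, the previously valid manifest fails verification, so re-presenting it (a replay or replacement of the manifest list) no longer authenticates a downgraded module.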

Processor 102 may be configured to access TPM 130 over a link 134 in a secure mode of processor 102, outside of an operating environment of processor 102.

ME 110 may be configured to communicate with TPM 130 over a link 136 to provision authentication values and/or logic updates.

Isolation, security, and access privileges described herein may be implemented with hardware, software, firmware, and combinations thereof.

Computer processor environment 100, or portions thereof, may be implemented on a common integrated circuit (IC) chip or over multiple IC chips mounted on a common circuit board or over multiple circuit boards.

FIG. 2 is a block diagram of exemplary data and computer instruction logic 200, to control one or more of processor 102 and ME controller 112.

Data and instruction logic 200 include:

- pre-boot logic 202 to cause processor 102 to initialize computer processor environment 100 upon a system reset or power-on;
- boot logic 204 to cause processor 102 to install drivers and transient applications, and to prepare to load operating environment logic;
- transition/run-time logic 106 to cause processor 102 to host an operating environment, or to host a virtualized environment for a plurality of operating environments; and
- data 201.

Pre-boot logic 202 includes pre-boot μ-hypervisor logic 214, also referred to herein as μ-hypervisor logic 214, to cause processor 102 to configure access protected regions of memory, or μ-contexts, for each of a plurality of executable boot logic modules, including one or more terminate and stay resident (TSR) logic modules that are callable from an operating environment. The μ-contexts are configured prior to initiating the corresponding ones of the plurality of executable boot logic modules. Pre-boot μ-hypervisor logic 214 includes logic to cause processor 102 to maintain the page-based protected regions of memory, for at least the TSR logic, in the operating environment.

Pre-boot μ-hypervisor logic 214 may reference one or more access control list (ACL) policies, which may be maintained as an ACL policy file, illustrated in FIG. 2 as a μ-hypervisor ACL policy file 222. ACL policies may be expressed in terms of page boundaries to cause processor 102 to distinguish between read, write, and execute access requests. ACL policy file 222 may be stored in a persistent, secure location, such as TPM-NV 132. Alternatively, a hash of ACL policy file 222 may be stored in TPM-NV 132, and ACL policy file 222 itself may be stored on disk or in flash memory.

ACL policies may be provisioned and managed by ME 110, using OOB link 122 to IT systems 124, link 136 to TPM 130, and/or a link 118 to processor 102.

Pre-boot logic 202, or portions thereof, such as pre-boot μ-hypervisor logic 214, may be authenticated prior to initiation in accordance with TPM 130. Pre-boot logic 202 may include TPM logic 208 to cause processor 102 to authenticate pre-boot μ-hypervisor logic 214 with respect to corresponding authentication values 220 in FIG. 2. ACL policy file 222 may be authenticated upon initiation of μ-hypervisor logic 214, and loaded into memory pages that are accessible only under control of pre-boot μ-hypervisor logic 214.

One or more of the boot logic modules within boot logic 204 may include logic to cause processor 102 to locate, authenticate, load, and initiate a subsequent boot logic module. Pre-boot logic 202 may include logic to locate, authenticate, load, and initiate an initial boot logic module within boot logic 204.

A logic module may be authenticated in its persistent storage location, and then loaded and initiated. Alternatively, a logic module may be loaded and then authenticated prior to initiation. Where a logic module is authenticated in accordance with TPM 130, the logic module may be authenticated and/or initiated in memory accessible to and access protected by TPM 130, such as cache 103 or memory 104.

Upon an authentication error or exception, processor 102 may invoke ME 110. ME 110 may be configured to re-provision a logic module and/or corresponding authentication reference value(s), and to force processor 102 to reattempt authentication, with or without a system reset. ME 110 may be configured to evaluate an exception to determine whether the logic module and/or the reference values are correct. ME 110 may be configured to notify IT system 124 of an exception over OOB link 122, and may be configured to receive a replacement logic module and/or authentication reference value(s) over link 122.

Boot logic 204 may include dynamically loadable and callable boot logic modules. FIG. 3 is a process flowchart of an exemplary method 300 of authenticating, loading, and initializing a plurality of such boot logic modules, in corresponding page-based access protected regions of memory. Method 300 is described below with reference to FIGS. 1 and 2 for illustrative purposes. Method 300 is not, however, limited to the examples of FIGS. 1 and 2.

At 302, processor 102 is reset or powered up. Upon the reset, processor 102 may initiate a power on self test (POST).

At 304, a start-up authenticated code module (SACM) 210 is authenticated with reference to a secure authentication value, and loaded and initiated in a secure location, under control of TPM logic 208. SACM 210 is loadable code that runs on processor 102 in a protected execution environment, or authenticated code execution mode, established by TPM logic 208.

TPM logic 208 may include logic to cause processor 102 to load SACM 210 in a TPM protected and TPM addressable memory space, which may include cache 103. TPM logic 208 may include logic to cause processor 102 to use protected memory space as system memory during the pre-boot phase, or a portion thereof.

Alternatively, processor 102 may include microcode to cause processor 102 to read TPM-NV 132 independent of other conventional TPM features.

TPM logic 208 may include a memory cleanup module, such as a SCLEAN module, to initialize cache 103 and/or memory 104. Alternatively, since the processor system has been recently reset or powered up, memory cleanup may be omitted.

TPM logic 208 may include logic to cause processor 102 to authenticate SACM logic 210 in its original persistent storage location and then load and initiate SACM logic 210 in cache 103. Alternatively, TPM logic 208 may include logic to cause processor 102 to load, authenticate, and initiate the SACM in cache 103.

TPM logic 208 may include logic to cause processor 102 to authenticate SACM logic 210 with respect to one or more authentication reference values maintained in a secure location, such as TPM-NV 132 or other memory controlled by ME 110, such as SUS-RAM. Authentication may include comparing a hash of the SACM to an authentication value or signature.

At 308, pre-boot μ-hypervisor logic 214 is authenticated with reference to a secure authentication value, and loaded and initiated in a secure location, under control of SACM 210.

Authentication may be performed with respect to an authentication value stored in read-only memory, such as TPM-NV 132 or other secure memory controlled by ME 110, such as SUS-RAM. Authentication may include an authentication value contained in a white list protected by secure storage, such as TPM-NV 132.

SACM 210 may verify ACL policy file 222 as part of launching pre-boot μ-hypervisor logic 214. Once verified, ACL policy file 222 may be placed in protected memory pages that may be accessible only under control of pre-boot μ-hypervisor logic 214.

Pre-boot μ-hypervisor logic 214, or portions thereof, may be loaded and initiated in cache 103 and/or memory 104. Where μ-hypervisor logic 214, or a portion thereof, is initiated from cache 103, the logic may be transitioned to memory 104 at a later time.

At 312, boot logic modules within boot logic 204 are authenticated with reference to corresponding secure authentication values, and loaded and initiated in corresponding memory μ-contexts configured by pre-boot μ-hypervisor logic 214 according to ACL policy file 222.

The boot logic modules may be authenticated, loaded, and initiated in a serial, or semi-serial fashion, and one or more of the boot logic modules may include logic to cause processor 102 to authenticate, load, and initiate a subsequent boot logic module. A pre-boot logic module may include logic to authenticate, load, and initiate an initial boot logic module.

During this phase of the boot process, memory access requests are trapped into μ-hypervisor logic 214 to cause processor 102 to control memory access in accordance with ACL policy file 222. Unauthorized access requests may cause processor 102 to invoke ME 110 for potential remedial action, which may avoid a boot failure.

At 316, the μ-contexts are transitioned to a run-time environment, which may be a non-virtualized operating environment or a virtualized environment.

Upon an authentication error, at 306 with respect to SACM 210, or at 310 with respect to pre-boot μ-hypervisor logic 214, processing proceeds to 318. At 318, ME 110 may be called to provision one or more new policies and/or images, the boot process may be halted, and processing may return to 302 for reset using one or more new policies and/or images from ME 110.

Upon an authentication error at 314, where the error is not terminal, such as an error in a driver module or transient application, processing may proceed to 322. At 322, ME 110 may be called to provision one or more new policies and/or images, and processing may return to 312 to retry authentication of the module. Otherwise, processing may proceed to 318, as described above.
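The following is an added example, not code from the patent, simulating method 300's two error paths in Python: a failure in the SACM or μ-hypervisor (306/310) halts the chain for re-provisioning and reset (318), while a failure in a later module (314) asks the ME for a replacement image and retries (322 then 312). Images are byte strings, authentication is a SHA-256 compare against a reference table, and the ME is a callable standing in for the OOB link; the module names, the retry bound and which modules count as terminal are assumptions.

```python
"""The two error paths of method 300: terminal failures (306/310 -> 318) and
recoverable ones (314 -> 322 -> 312).

Added example, not code from the patent. Images are byte strings,
authentication is a SHA-256 compare against a reference table, and the
ME is a callable that hands back a replacement image over the simulated
OOB link. Names, the retry bound and the TERMINAL set are assumptions.
"""
import hashlib

TERMINAL = {"sacm", "uhv"}  # SACM and mu-hypervisor: a failure halts the boot
MAX_RETRIES = 2             # assumed bound on the 322 -> 312 retry loop


class BootHalted(Exception):
    """Raised when processing reaches 318: halt, re-provision, reset."""


def authenticate(image: bytes, reference: bytes) -> bool:
    return hashlib.sha256(image).digest() == reference


def boot_chain(order, references, storage, me_provision, log):
    """Authenticate, load and initiate each module in turn.

    order:        module names in boot order (each one initiates the next)
    references:   name -> expected SHA-256 digest (secure storage)
    storage:      name -> image bytes found in persistent storage
    me_provision: name -> replacement image bytes, or None if the ME has none
    Returns the list of initiated modules; raises BootHalted for 318.
    """
    initiated = []
    for name in order:
        image, retries = storage[name], 0
        while not authenticate(image, references[name]):
            log.append(f"{name}: authentication error")
            if name in TERMINAL:
                log.append(f"{name}: terminal, notify ME and reset (318)")
                raise BootHalted(name)
            if retries == MAX_RETRIES:
                log.append(f"{name}: retries exhausted, proceed to 318")
                raise BootHalted(name)
            retries += 1
            image = me_provision(name)  # 322: new image/policy over the OOB link
            if image is None:
                raise BootHalted(name)
            log.append(f"{name}: retry {retries} with ME-provisioned image (312)")
        initiated.append(name)
        log.append(f"{name}: authenticated, loaded, initiated")
    return initiated


def demo():
    good = {"sacm": b"sacm-v1", "uhv": b"uhv-v1", "pei": b"pei-v1", "net_driver": b"net-v1"}
    refs = {n: hashlib.sha256(i).digest() for n, i in good.items()}
    order = list(good)
    me = good.get  # the ME holds known-good images (constructed)
    log = []
    # A tampered driver image is replaced by the ME and the boot completes.
    tampered_driver = dict(good, net_driver=b"net-v1+rootkit")
    initiated = boot_chain(order, refs, tampered_driver, me, log)
    # A tampered mu-hypervisor is terminal: no retry, the boot halts.
    tampered_uhv = dict(good, uhv=b"uhv-evil")
    try:
        boot_chain(order, refs, tampered_uhv, me, log)
        halted_at = None
    except BootHalted as exc:
        halted_at = exc.args[0]
    # A driver the ME cannot repair exhausts its retries and also halts.
    try:
        boot_chain(order, refs, tampered_driver, lambda n: b"still-bad", log)
        unrepaired = None
    except BootHalted as exc:
        unrepaired = exc.args[0]
    return {"initiated": initiated, "halted_at": halted_at,
            "unrepaired": unrepaired, "log": log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The retry bound is the caveat a practitioner should keep: without it, a driver the ME cannot repair would loop between 322 and 312 forever, which is itself a denial of service against the boot; bounding the retries turns that case into the same 318 halt as a terminal failure.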

Boot logic modules within boot logic 204 may include extensible firmware interface (EFI) boot logic modules. EFI is a specification that defines a software interface between an operating system and platform firmware, developed by Intel Corporation and managed by the Unified EFI Forum (UEFI).

FIG. 4 is a block diagram of exemplary data and computer instruction logic 200, wherein pre-boot logic 202 includes firmware interface table (FIT) boot logic 402 and pre-verifier logic 404, and boot logic 204 includes:

- one or more pre-EFI initialization (PEI) modules 406, which may include a PEI pre-driver execution environment (PEI DXE) module 408;
- a DXE driver dispatcher module 410;
- one or more driver modules 412, which may include one or more terminate and stay resident (TSR) applications that may be callable from a run-time environment;
- a boot manager logic module 414; and
- one or more transient applications 416, which may be callable from a run-time environment.

Functions and operation of the conventional logic modules are well known. Additional features and logic of logic modules 406-416 are disclosed below.

FIGS. 5A and 5B illustrate a process flowchart of an exemplary method 500 of authenticating and loading logic modules illustrated in FIG. 4.

FIG. 6 is a graphical illustration of an exemplary platform boot flow sequence 600 for the logic modules illustrated in FIG. 4.

In FIG. 5A, at 502, a computer processor system is reset or powered up. Upon the reset, the processor may initiate a power on self test (POST).

At 504, the processor may invoke or initiate FIT boot logic 402, which may include microcode, to setup a firmware initialization vector.

At 506, SACM 210 is loaded into TPM addressable memory, substantially as described above with respect to 304 in FIG. 3. Additionally, FIT boot logic 402 may include logic to cause processor 102 to verify the existence and integrity of SACM 210, and to initiate TPM logic 208 to authenticate and load SACM 210. Processor 102 may use TPM logic 208 to enter a secure mode of operation, or may boot directly in a TPM mode. For example, TPM logic 208 may be initiated with an instruction contained within FIT boot logic 402, or may be initiated in response to a FIT pointer to a memory location corresponding to TPM logic 208.

At 508, most significant bits (MSBs) corresponding to TPM 130 may be set to enable TPM 130 and to invoke TPM 130 from microcode. TPM 130 may be invoked, for example, with a SENTER command.

At 510, TPM 130 verifies an integrity of SACM 210, substantially as described above with respect to 304 in FIG. 3.

At 512, upon an authentication error, processing proceeds to 514 for ME processing, as described above with respect to 318 in FIG. 3.

At 516, pre-boot μ-hypervisor logic 214 is verified by SACM 210, substantially as described above with respect to 308 in FIG. 3.

At 518, upon an authentication error, processing proceeds to 514 for ME processing, as described above.

At 520, pre-verifier logic 404 is loaded and verified by pre-boot μ-hypervisor logic 214. Alternatively, pre-verifier logic 404 may be loaded and verified by SACM 210. Alternatively, pre-verifier logic 404 may include μ-hypervisor logic 214, in which case, authentication of pre-boot μ-hypervisor logic 214 is accomplished upon authentication of pre-verifier logic 404. Alternatively, μ-hypervisor logic 214 may be loaded and verified by pre-verifier logic 404. Pre-verifier logic 404 is also referred to herein as a pre-driver execution environment (pre-DXE) BIOS component.

At 522, upon an authentication error, processing proceeds to 514 for ME processing, as described above.

At 524, μ-hypervisor logic 214 creates one or more PEI μ-contexts. Pre-boot μ-hypervisor logic 214 or pre-verifier logic 404 may verify and load PEI modules 406 and 408 into the μ-context(s). Pre-verifier logic 404 or μ-hypervisor logic 214 may include logic to cause processor 102 to use TPM 130, and may include logic to extend PCRs of TPM 130, as described above. Pre-verifier logic 404 may invoke μ-hypervisor logic 214 to construct a separate μ-context memory container for each of PEI logic modules 406 and 408, or may construct a single μ-context memory container for a plurality of PEI logic modules 406 and 408.

At 526, upon an authentication error, processing proceeds to 514 for ME processing, as described above.

At 528, PEI DXE module 408 and μ-hypervisor logic 214 construct a DXE driver dispatcher μ-context for DXE driver dispatcher logic 410. PEI DXE module 408 may invoke μ-hypervisor logic 214 to construct the μ-context and may include logic to authenticate, load, and initiate DXE driver dispatcher logic 410 in the μ-context.

At 530, upon an authentication error, processing proceeds to 514 for ME processing, as described above.

In FIG. 5B, at 532, DXE driver dispatcher logic 410 initiates one or more μ-contexts for driver modules 412, which may include service drivers and device drivers. Driver modules 412 may be dynamically loaded and provisioned, and thus may be provided with corresponding separate μ-contexts by μ-hypervisor logic 214.

Driver modules 412 may be provided by different entities and thus may not be tested for potential incompatibilities with other drivers and operating environment applications. Drivers may also be susceptible to malicious code that may alter, copy, observe, or improperly use a driver module. Providing a separate μ-context memory container around each driver module 412 may help to protect driver modules 412 from unauthorized access and malicious or improper code.

A driver module vendor may specify a driver-specific access control policy, which may be included as part of the driver image or which may be provisioned in secure storage (TPM-NV). IT access control policies may be specified and provisioned into secure storage by ME 110. DXE driver dispatcher logic 410 may load, or assign, driver code pages to μ-contexts associated with the appropriate driver modules 412, and may insert such driver-specific access control policies into ACL policy file 222.

Service and device drivers may include applications that may terminate and stay resident (TSR), which may be callable from within a post-boot run-time environment. Accordingly, ACL policies corresponding to TSR applications may be maintained throughout boot phase and into one or more subsequent run-time environments, as described below.

At 534, upon an authentication error, processing proceeds to 536 for ME processing. At 536, ME 110 is notified and one or more new policies and/or logic images may be received from ME 110. Processing returns to 532 to authenticate the failed driver module 412 with respect to the one or more new policies and/or logic images.

At 538, μ-hypervisor logic 214 creates a μ-context for boot manager logic 414 and verifies boot manager logic 414 memory pages. DXE driver dispatcher logic 410 may include logic to invoke μ-hypervisor logic 214 to construct a dedicated μ-context for boot manager logic 414. Alternatively, boot manager logic 414 may be loaded and initiated within the protected memory space of DXE driver dispatcher logic 410. DXE driver dispatcher logic 410 may include logic to authenticate boot manager logic 414 prior to loading boot manager logic 414 in the protected memory space of DXE driver dispatcher logic 410.

At 540, upon an authentication error, processing proceeds to 536 for ME processing as described above. Processing then returns to 538 to authenticate boot manager logic 414 with respect to one or more new policies and/or logic images.

At 542, boot manager logic 414 invokes μ-hypervisor logic 214 to create one or more μ-contexts for transient applications 416. As with drivers, transient applications pose potential threats to the boot phase environments and to other transient applications. Accordingly, μ-hypervisor logic 214 may create a separate μ-context for each of a plurality of transient applications 416. As with driver modules 412, one or more of transient application modules 416 may include application-specific access control policies to restrict the devices or services that may call into the corresponding application. IT may also provision ACL rules to protect against errant transient applications.

At 544, upon an authentication error, processing proceeds to 536 for ME processing as described above. Processing then returns to 542 to authenticate the failed transient application 416 with respect to one or more new policies and/or logic images.

Pre-boot μ-hypervisor ACL policies may be transitioned to a run-time environment, which may include a native, or non-virtualized operating environment, or a virtualized environment supporting one or more guest operating environments.

Boot manager logic 414 may selectively locate, authenticate, load, and initiate operating system logic 420 in a non-virtualized, or native, operating environment, and may selectively locate, authenticate, load, and initiate VMM logic 418 to provide one or more guest operating environments. Alternatively, μ-hypervisor logic 214 may transition into a VMM. Boot manager logic 414 may select and configure a run-time environment in accordance with boot option configuration settings.

When a non-virtualized environment is selected at 546, processing proceeds to 548.

At 548, boot manager logic 414 verifies operating system logic 420. At 550, upon an authentication error, processing proceeds to 536 for ME processing as described above. Processing then returns to 548 to authenticate operating system logic 420 with respect to one or more new policies and/or logic images.

At 552, operating system logic 420 is initiated. Pre-boot μ-hypervisor logic 214 may permit boot manager logic 414 to launch the operating system image. The operating system may be provided with direct access to system hardware, while μ-hypervisor logic 214 continues to protect TSR drivers and transient applications when the operating environment calls back into the EFI environment.

When a virtualized environment is selected at 546, pre-boot μ-hypervisor logic 214 may function as, or transition into a post-boot VMM, wherein a virtual machine (VM) partition is constructed, boot manager logic 414 locates, authenticates, loads, and initiates an operating system image into the VM partition, and pre-boot μ-hypervisor logic 214 continues to maintain and enforce pre-boot memory μ-contexts or ACL policies for the VM.

Alternatively, another VMM may be initiated to maintain and enforce pre-boot memory μ-contexts or ACL policies for the VM. In this situation, at 544 and 556, boot manager logic 414 may locate, authenticate, load, and initiate a VMM loader, which may initiate VMM logic 418 in FIG. 4. Alternatively, the VMM loader may be part of boot manager logic 414.

The VMM loader then vectors the VMM to an operating system image to be executed in a VM. Pre-boot memory μ-contexts or ACL policies are then migrated to the VMM. Migration may include sending a vector table of the μ-contexts to the VMM as part of the construction of the VMM at 558. The vector table contains μ-context policies and boundary information that are transferred to the new VMM. The VMM looks for the vector table at initialization and inherits the pre-boot μ-contexts at 560. Attempts by post-boot applications 422 to access EFI drivers are then access controlled by the VMM. When the system transitions away from VMM control, EFI drivers may be forced to reload as from reset.
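The following is an added example, not the patent's code, of the hand-off just described: the pre-boot μ-hypervisor exports the resident μ-contexts as a vector table, and the VMM validates every entry before inheriting it, since a table it finds in memory at initialization is only as trustworthy as the checks it applies. The text says only that the table carries μ-context policies and boundary information; the encoding used here (a list of dicts), the validation rules, the permission strings and all names are assumptions.

```python
"""Hand-off of pre-boot mu-contexts to a post-boot VMM through a vector table.

Added example, not the patent's code. The table encoding, the validation
rules the VMM applies before inheriting it, the permission strings and
all names are assumptions made for illustration.
"""
PAGE = 4096  # assumed page size

RUNTIME_PERMS = {"x", "rx", "r"}  # execute-only, execute-read, read-only


def export_vector_table(contexts):
    """Pre-boot mu-hypervisor side. Only contexts that stay resident after boot
    (TSR drivers, run-time callable applications) are handed over."""
    return [{"name": c["name"], "base": c["base"], "size": c["size"], "perm": c["runtime"]}
            for c in contexts if c["tsr"]]


def inherit_vector_table(table):
    """VMM side: validate every entry before enforcing any of it. A widened or
    overlapping entry would hand the guest a hole into EFI driver pages."""
    accepted = []
    for e in table:
        name = e.get("name", "?")
        if e["size"] <= 0 or e["base"] % PAGE or e["size"] % PAGE:
            raise ValueError(f"{name}: boundaries are not on page boundaries")
        if e["perm"] not in RUNTIME_PERMS:
            raise ValueError(f"{name}: run-time policy must be no-write ({e['perm']!r})")
        for s in accepted:
            if e["base"] < s["base"] + s["size"] and s["base"] < e["base"] + e["size"]:
                raise ValueError(f"{name}: overlaps {s['name']}")
        accepted.append(e)
    # Lookup structure the VMM enforces from: (base, size) -> permission string
    return {(e["base"], e["size"]): e["perm"] for e in accepted}


def vmm_check(policy, addr, access):
    """Access control applied when a guest (post-boot application) touches EFI
    driver pages. 'access' is one of 'r', 'w', 'x'."""
    for (base, size), perm in policy.items():
        if base <= addr < base + size:
            return access in perm
    return True  # not an inherited EFI page: ordinary guest memory (assumption)


def demo():
    contexts = [  # constructed pre-boot state
        {"name": "dxe_dispatcher", "base": 0x1000, "size": 2 * PAGE, "runtime": "r", "tsr": False},
        {"name": "tsr_nic.code", "base": 0x10000, "size": PAGE, "runtime": "rx", "tsr": True},
        {"name": "tsr_nic.data", "base": 0x11000, "size": PAGE, "runtime": "r", "tsr": True},
        {"name": "rt_app", "base": 0x20000, "size": PAGE, "runtime": "x", "tsr": True},
    ]
    table = export_vector_table(contexts)
    policy = inherit_vector_table(table)
    results = {
        "entries_inherited": len(policy),
        "app_calls_driver": vmm_check(policy, 0x10000, "x"),
        "app_patches_driver": vmm_check(policy, 0x10000, "w"),
        "app_reads_xonly": vmm_check(policy, 0x20000, "r"),
    }
    # Tampered table: one entry widened to read-write is refused as a whole.
    bad = [dict(e, perm="rw") if e["name"] == "tsr_nic.data" else e for e in table]
    try:
        inherit_vector_table(bad)
        results["tampered_accepted"] = True
    except ValueError:
        results["tampered_accepted"] = False
    return results


if __name__ == "__main__":
    print(demo())
```

Refusing the whole table rather than dropping the bad entry is deliberate: an entry that was silently skipped would leave that driver's pages unprotected in the guest, which is exactly the state the hand-off exists to prevent.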

Methods and systems are disclosed herein with the aid of functional building blocks illustrating the functions, features, and relationships thereof. At least some of the boundaries of these functional building blocks have been arbitrarily defined herein for the convenience of the description. Alternate boundaries may be defined so long as the specified functions and relationships thereof are appropriately performed.

One skilled in the art will recognize that these functional building blocks can be implemented by discrete components, application specific integrated circuits, processors executing appropriate software, and combinations thereof.

While various embodiments are disclosed herein, it should be understood that they have been presented by way of example only, and not limitation. It will be apparent to persons skilled in the relevant art that various changes in form and detail may be made therein without departing from the spirit and scope of the methods and systems disclosed herein. Thus, the breadth and scope of the claims should not be limited by any of the exemplary embodiments disclosed herein. 

1. A method, comprising: defining and enforcing module-specific access controls to memory pages containing boot logic modules, prior to loading and initializing the boot logic modules, to prevent writing to the memory pages and to permit one or more of executing and reading of the memory pages, wherein the boot logic modules include one or more terminate and stay resident boot logic modules that are callable from a run-time environment of a processor; authenticating the boot logic modules prior to initializing the boot logic modules; and enforcing the access controls to the memory pages containing the terminate and stay resident logic in the run-time environment.
 2. The method of claim 1, further comprising: authenticating each of the logic modules with respect to corresponding measurements stored in persistent memory, prior to initiation of each of the boot logic modules; and authenticating μ-hypervisor logic that causes a processor to perform the defining and enforcing, and authenticating corresponding memory access control list policies, with respect to measurements stored in persistent memory.
 3. The method of claim 2, further comprising: notifying a management engine processor upon an authentication exception and receiving policies and images from the management engine processor in response to the notifying.
 4. The method of claim 2, further comprising: authenticating, loading, and initiating one or more of the boot logic modules in response to instructions within another one of the boot logic modules; and authenticating, loading, and initiating an initial one of the boot logic modules in response to instructions within a pre-boot logic module.
 5. The method of claim 1, further comprising: initiating firmware interface table (FIT) logic upon a processor reset; initiating trusted execution logic in response to the FIT logic; authenticating a startup authenticated code module (SACM) with respect to a measurement stored in persistent memory, loading the SACM into a processor memory, and initiating the SACM in the processor memory following authentication of the SACM, in response to the trusted execution logic; and authenticating μ-hypervisor logic that causes the processor to perform the defining and enforcing, and authenticating a corresponding access control list policy file, with respect to measurements stored in persistent memory, and loading and initiating the μ-hypervisor logic under control of the SACM.
6. The method of claim 5, further comprising: authenticating a pre-verifier logic module with respect to a measurement stored in persistent memory, and loading and initiating the pre-verifier logic module, in response to the SACM; authenticating one or more pre-initialization environment logic modules with respect to a measurement stored in persistent memory, and loading and initiating the one or more pre-initialization environment logic modules, in response to the pre-verifier logic module; authenticating a driver dispatcher logic module with respect to a measurement stored in persistent memory, and loading and initiating the driver dispatcher logic module, in response to one of the pre-initialization environment logic modules; authenticating a plurality of driver logic modules with respect to corresponding measurements stored in persistent memory, and loading and initiating the plurality of driver logic modules, in response to the driver dispatcher logic module; authenticating a boot manager logic with respect to a measurement stored in persistent memory, and loading and initiating the boot manager logic, in response to the driver dispatcher logic module; and initiating the run-time environment under control of the boot manager logic.
 7. The method of claim 6, wherein the enforcing the access controls in the run-time environment is performed under control of the μ-hypervisor logic.
 8. The method of claim 6, wherein the initiating the run-time environment includes initiating a virtual machine manager, and wherein the enforcing the access controls in the run-time environment includes sending a vector table corresponding to the access controls to the virtual machine manager.
 9. The method of claim 6, further comprising: notifying a management engine processor upon an authentication exception and receiving one or more of a policy and an image from the management engine processor in response to the notifying; repeating the authenticating of a driver logic module upon an authentication exception of the driver module, in accordance with one or more of a new policy and a new image received from the management engine processor; and resetting the processor upon an authentication exception of one or more of the SACM, the μ-hypervisor logic, the pre-verifier logic, the pre-initialization environment logic modules, and the driver dispatcher logic module, and booting the processor in accordance with one or more of a new policy and a new image received from the management engine processor.
 10. A computer program product including computer readable media having computer program product logic stored therein, the computer program product logic including: μ-hypervisor logic to cause a processor to define and enforce module-specific access controls to memory pages containing boot logic modules, prior to loading and initializing the boot logic modules, to prevent writing to the memory pages and to permit one or more of executing and reading of the memory pages, wherein the boot logic modules include one or more terminate and stay resident boot logic modules that are callable from a run-time environment of the processor, and to cause the processor to enforce the access controls to the memory pages containing the terminate and stay resident logic in the run-time environment; and boot module authentication logic to cause the processor to authenticate each of the boot logic modules with respect to corresponding measurements stored in persistent memory, prior to initiation of each of the corresponding plurality of boot logic modules.
 11. The computer program product logic of claim 10, further comprising: μ-hypervisor authentication logic to cause the processor to authenticate the μ-hypervisor logic and memory access control list policies with respect to measurements stored in persistent memory.
 12. The computer program product logic of claim 11, further comprising: exception handling logic to cause a management engine processor to provision policies and images to the processor upon authentication exceptions.
 13. The computer program product logic of claim 11, wherein one or more of the boot logic modules include logic to cause the processor to authenticate, load, and initiate one or more subsequent boot logic modules, the computer program product logic further comprising pre-boot logic to cause the processor to authenticate, load, and initiate an initial one of the boot logic modules.
 14. The computer program product logic of claim 10, further comprising: a startup authenticated code module (SACM) to cause the processor to authenticate the μ-hypervisor logic and an access control list policy file with respect to measurements stored in persistent memory; trusted execution logic to cause the processor to authenticate the SACM with respect to a measurement stored in persistent memory, to load the SACM into a processor memory, and to initiate the SACM in the processor memory following authentication of the SACM; and firmware interface table logic to cause the processor to initiate the SACM and the trusted execution logic upon a processor reset.
15. The computer program product logic of claim 14, wherein the boot logic modules include: a boot manager logic module to cause the processor to authenticate one or more transient applications and a run-time environment with respect to corresponding measurements stored in persistent memory, and to load and initiate the one or more transient applications and the run-time environment, wherein the run-time environment includes one or more of operating system logic and virtual machine manager logic; a driver dispatcher logic module to cause the processor to authenticate the boot manager logic module with respect to a measurement stored in persistent memory, and to load and initiate the boot manager logic module, and to cause the processor to authenticate each of a plurality of driver logic modules with respect to corresponding measurements stored in persistent memory, and to load and initiate each of the plurality of driver logic modules; and one or more pre-initialization environment logic modules to cause the processor to initiate processor resources and to authenticate the driver dispatcher logic module with respect to corresponding measurements stored in persistent memory, and to load and initiate the driver dispatcher logic module; wherein the computer program product logic further includes a pre-verifier logic module to cause the processor to authenticate the one or more of the pre-initialization environment logic modules with respect to corresponding measurements stored in persistent memory, and to load and initiate the one or more of the pre-initialization environment logic modules; and wherein the SACM includes logic to cause the processor to authenticate the pre-verifier logic module with respect to a measurement stored in persistent memory, and to load and initiate the pre-verifier logic module.
 16. A system, comprising: a processor; system memory coupled to the processor; and a computer program product including computer readable media having computer program product logic stored therein, including: μ-hypervisor logic to cause the processor to define and enforce module-specific access controls to memory pages containing boot logic modules, prior to loading and initializing the boot logic modules, to prevent writing to the memory pages and to permit one or more of executing and reading of the memory pages, wherein the boot logic modules include one or more terminate and stay resident boot logic modules that are callable from a run-time environment of the processor, μ-hypervisor logic including logic to cause the processor to enforce the access controls to the memory pages containing the terminate and stay resident logic in the run-time environment; and boot module authentication logic to cause the processor to authenticate each of the boot logic modules with respect to corresponding measurements stored in persistent memory, prior to initiation of each of the corresponding plurality of boot logic modules.
 17. The system of claim 16, wherein one or more of the plurality of boot logic modules include logic to cause the processor to authenticate, load, and initiate one or more subsequent boot logic modules, the computer program product logic further including pre-boot logic to cause the processor to authenticate, load, and initiate an initial one of the plurality of boot logic modules.
 18. The system of claim 16, wherein the computer program product logic further includes: a startup authenticated code module (SACM) to cause the processor to authenticate the μ-hypervisor logic and an access control list policy file with respect to measurements stored in persistent memory; trusted execution logic to cause the processor to authenticate the SACM with respect to a measurement stored in persistent memory, to load the SACM into a processor memory, and to initiate the SACM in the processor memory following authentication of the SACM; and firmware interface table logic to cause the processor to initiate the SACM and the trusted execution logic upon a processor reset.
19. The system of claim 18, wherein the computer program product logic further includes: a boot manager logic module to cause the processor to authenticate one or more transient applications and a run-time environment with respect to corresponding measurements stored in persistent memory, and to load and initiate the one or more transient applications and the run-time environment, wherein the run-time environment includes one or more of operating system logic and virtual machine manager logic; a driver dispatcher logic module to cause the processor to authenticate the boot manager logic module with respect to a measurement stored in persistent memory, and to load and initiate the boot manager logic module, and to cause the processor to authenticate each of a plurality of driver logic modules with respect to corresponding measurements stored in persistent memory, and to load and initiate each of the plurality of driver logic modules; and one or more pre-initialization environment logic modules to cause the processor to initiate processor resources and to authenticate the driver dispatcher logic module with respect to corresponding measurements stored in persistent memory, and to load and initiate the driver dispatcher logic module; wherein the computer program product logic further includes a pre-verifier logic module to cause the processor to authenticate the one or more of the pre-initialization environment logic modules with respect to corresponding measurements stored in persistent memory, and to load and initiate the one or more of the pre-initialization environment logic modules; and wherein the SACM includes logic to cause the processor to authenticate the pre-verifier logic module with respect to a measurement stored in persistent memory, and to load and initiate the pre-verifier logic module.
 20. The system of claim 19, further comprising: a management engine processor coupled to the processor; and exception handling logic to cause the management engine processor to provision policies and images to the processor upon authentication exception. 
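The method claims (1 to 9) and the product and system claims (10 to 20) describe the same mechanism: each boot module is authenticated against a measurement held in persistent memory before it is initiated, loaded into pages whose access control list permits read and execute but never write, with the policy kept in force for terminate-and-stay-resident modules in the run-time environment, and with an authentication exception either provisioned by the management engine (drivers) or ending in a reset (core modules). The following Python simulation is an added example, not the patent's code; the page size, module names, SHA-256 as the measurement function, and the management engine modelled as a lookup of a good image are assumptions.

```python
import hashlib

PAGE = 4096   # constructed page size; the claims only require page-boundary policies
CORE = {"sacm", "uhypervisor", "pre_verifier", "pei", "dxe_dispatcher"}  # exception => reset
NAMES = ["sacm", "uhypervisor", "pre_verifier", "pei", "dxe_dispatcher", "driver_net", "boot_manager"]
class AuthException(Exception):
    pass

class PageAcl:
    """Per-page policy: page number -> permitted access kinds ('r', 'x'); 'w' is never granted."""
    def __init__(self):
        self.policy = {}

    def protect(self, base, size, perms):
        for page in range(base // PAGE, -(-(base + size) // PAGE)):
            self.policy[page] = set(perms) & {"r", "x"}   # claim 1: writing is always prevented

    def check(self, addr, kind):
        perms = self.policy.get(addr // PAGE)      # pages outside the policy are not governed
        return True if perms is None else kind in perms

def measure(image):
    return hashlib.sha256(image).hexdigest()

def boot(modules, stored, acl, mgmt_engine, base=0x10000):
    """Authenticate each (name, image, perms) in chain order, then load it into protected pages."""
    loaded = {}
    for name, image, perms in modules:
        if measure(image) != stored.get(name):
            if name in CORE:              # claim 9: core exception -> reset with new policy/image
                raise AuthException("reset required: " + name)
            image = mgmt_engine(name)     # claim 9: driver exception -> provisioned image, retry
            if measure(image) != stored.get(name):
                raise AuthException(name)
        acl.protect(base, len(image), perms)
        loaded[name] = (base, len(image))
        base += -(-len(image) // PAGE) * PAGE   # next module starts on a fresh page
    return loaded

# Constructed sample chain: the network driver image is tampered; the management engine
# (simulated as a lookup of the good copy) provisions a replacement on the exception.
GOOD = {n: (n + "-image").encode() for n in NAMES}
STORED = {n: measure(img) for n, img in GOOD.items()}     # measurements in "persistent memory"
CHAIN = [(n, b"tampered" if n == "driver_net" else img, "rx") for n, img in GOOD.items()]

def demo():
    acl = PageAcl()
    loaded = boot(CHAIN, STORED, acl, mgmt_engine=lambda n: GOOD[n])
    tsr = loaded["driver_net"][0]   # TSR driver pages stay governed in the run-time environment
    return acl.check(tsr, "x"), acl.check(tsr, "r"), acl.check(tsr, "w")
```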